Increasingly, information produced by one client must be shared by other clients connected through a computer network. The information may be kept on one or more storage systems also connected to the network. Such networks often interconnect many clients throughout an organization, some of whom are excluded from access to the information. The network may also support connections to public networks, such as the Internet, providing the possibility of unauthorized access from outside of the organization.
Storage systems used to hold shared information may include disk arrays for short term, high speed access of information, tape management systems for long term, high volume storage, and other types of storage devices. Such storage systems are often managed by centralized information systems groups which neither produce nor consume the information. These information systems groups are responsible for the security and integrity of information stored within the storage systems, and often have access to the stored information.
In order to protect information from being accessed by a client outside of an organization, a firewall may be placed between the organization's network and an external network. The firewall limits the types of information that may enter and exit the organization's network. While providing some level of protection from external access, the firewall will not protect stored information from access by an excluded client within the organization. Servers or hosts may be used to limit information access within the organization's network. However, the host manager may still have access to the information protected by the host.
Certain types of information produced and used within an organization must be kept secure. This information includes financial figures, personnel data, health information, business plans, trade secrets, and the like. A client producing such information should be able to store this information in an untrusted storage device in a manner that permits authorized clients to access the information while denying access to all others, including host managers and information systems personnel.
One method to protect information is to encrypt the information using a key and then store the encrypted information as a data set on one or more untrusted storage devices. Two types of encryption may be used, symmetric and asymmetric. In symmetric encryption, the same key is used to encrypt and decrypt the information. Various types of symmetric encryption which are known in the art include the Data Encryption Standard (DES) algorithm as described in Federal Information Processing Standard Publication 46-1; the Improved DES (IDES) algorithm as described in U.S. Pat. No. 5,214,703 titled “Device For The Conversion Of A Digital Block And Use Of Same”; and the RC-5 algorithm as described in U.S. Pat. Nos. 5,724,428 and 5,835,600 both titled “Block Encryption Algorithm With Data-Dependent Rotations”; each of which is incorporated herein by reference.
In asymmetric encryption, a first key is used to encrypt the information and a second key is used to decrypt the information. Typically, the first key is a public key which is widely known and the second key is a private key which is known only to authorized clients. Various forms of asymmetric encryption are known in the art, including the Diffie-Hellman algorithm as described in U.S. Pat. No. 4,200,770 titled “Cryptographic Apparatus And Method”; and U.S. Pat. No. 4,405,829 titled “Cryptographic Communications System And Method”; each of which is incorporated by reference herein.
In order to share encrypted information, the key or keys must be known to all clients for which access has been granted. This creates several difficulties. First, if authorization is to be removed from a client, the information must be reencrypted using a new key unknown to the excluded client. Second, it may be difficult to implement complex combinations of clients and groups of clients.
Another possible solution is to encrypt the information into a data set as above and to create a prefix associated with the data set that contains a listing of each client authorized to access the information contained in the data set. The public key for each client is used by a host to encrypt the key required to decrypt the data set. The encrypted data set key for each client to which access is granted is also stored in the prefix. Several difficulties arise with this technique. First, the association of a prefix with a data set implies that the prefix and data set should be placed together in long term storage. This means that the storage device holding the prefix must be accessed in order to change the listing of clients authorized to access the information. In the case of backup or archiving to, for example, magnetic tape, the tape must be obtained and loaded before the access list can be modified. A second difficulty arises if a client is to be added to the list of authorized clients in the prefix once the prefix has been created. In order to add a client, the private key for an authorized client must be obtained, the data set encryption key decrypted using the private key, and the data set encryption key reencrypted using the public key of the new client. A first implementation option is to permit new clients to be added only by an existing client, restricting access control only to existing clients. A second option is to have an authorized client surrender its private key, creating a potential breach in security. A third difficulty arises in projects where a group of clients may have to access thousands of information sets, such as with software development. Changing authorization may require accessing the prefix for each information set. A fourth difficulty arises in attempting to implement combinations of client groups, such as granting access to any client which is a member of a first group or a member of a second group.
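The prefix scheme described above, as an added example that is not part of the original document: the data set key is wrapped under each listed client's public key, and `AddClient` shows why a later addition needs an authorized client's private key. The names `Prefix`, `Grant`, `Unwrap`, `AddClient` and `newClient`, the choice of RSA-OAEP, and the demo keys are assumptions; encryption of the data set itself is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Prefix (illustrative name): client name -> data set key wrapped under that client's public key.
type Prefix map[string][]byte

// Grant is the host's step at creation time, while it still holds the data set key.
func (p Prefix) Grant(name string, key []byte, pub *rsa.PublicKey) error {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err == nil {
		p[name] = w
	}
	return err
}

// Unwrap recovers the data set key; it succeeds only with a listed client's private key.
func Unwrap(p Prefix, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := p[name]
	if !ok {
		return nil, errors.New("client not listed in prefix")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

// AddClient extends an existing prefix: the key must first be unwrapped by an authorized client.
func AddClient(p Prefix, auth string, authPriv *rsa.PrivateKey, name string, pub *rsa.PublicKey) error {
	key, err := Unwrap(p, auth, authPriv)
	if err != nil {
		return err
	}
	return p.Grant(name, key, pub)
}

func newClient() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	alice, _ := newClient() // constructed demo clients
	bob, _ := newClient()
	p := Prefix{}
	p.Grant("alice", []byte("constructed-32-byte-data-set-key"), &alice.PublicKey)
	fmt.Println("bob adds himself:", AddClient(p, "bob", bob, "bob", &bob.PublicKey))
	fmt.Println("alice adds bob:  ", AddClient(p, "alice", alice, "bob", &bob.PublicKey))
}
```

Deleting a client's entry from the prefix does not undo a key that client has already unwrapped, which is the reencryption difficulty the text raises for shared keys.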
What is needed is the ability to store secure information on one or more untrusted storage devices that allows flexibility in controlling access to the information. Access should be permitted based on combinations of client groups. Membership in these groups should be modifiable without requiring access to the storage device containing the encrypted information. Information should be encrypted before leaving a producer client and should stay encrypted until received by a consumer client.